[j-nsp] Forwarding IPv6 link-local packets?
Harry Reynolds
harry at juniper.net
Thu Apr 26 18:31:43 EDT 2012
Update. The better pr is 556860, which shows closed as not fixed. PR 573100 is considered a new feature and cannot be made visible externally. <Oops>.
I will try and flip 556860 to externally visible.
Also, I hear that SRX platforms have been fixed already. Not sure of release.
Regards
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Harry Reynolds
Sent: Thursday, April 26, 2012 3:26 PM
To: Chris Adams; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Forwarding IPv6 link-local packets?
Hey Chris. This is a known issue, tracked by internal pr 573100. I will flip that to externally visible so customers can see.
Appears fixed only on trio as of 13.3. There was talk of a possible work around, as below, but not clear it was ever tested/confirmed:
<< possible WA:
why don't we install the link-local routes with a discard nexthop
(to match destination link-locals) and add a uRPF strict check to it
(to match source-link-locals) ?
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Chris Adams
Sent: Thursday, April 26, 2012 1:58 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Forwarding IPv6 link-local packets?
I noticed some (anti-spoofing) IPv6 filter drops got logged, so I went
to track down the source of the problem. Annoyingly, the source address
was a link-local address (although the destination addresses were on the
Internet). I tracked down the source (only because I don't have a lot
of IPv6 traffic yet).
My question is this: why is a packet with a link-local source forwarded
at all? I have uRPF enabled on the interface, but I guess since
fe80::/64 is considered a valid route for all IPv6 interfaces, uRPF
won't catch that. Is there any practical way to turn off link-local
forwarding, other than to apply filters to every interface?
Or am I just missing something obvious?
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
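The per-interface filter that Chris mentions as the fallback, written out as an added example (not from the thread or from Juniper): it exempts traffic whose destination is genuinely on-link, then counts, logs and discards anything that still carries a link-local source, which is exactly the fe80:: source to Internet destination case described above. Interface, filter and counter names are assumptions.

```junos
firewall {
    family inet6 {
        filter DROP-LINK-LOCAL-TRANSIT {
            /* Link-local source to an on-link destination (neighbor
               link-local unicast or link-scope multicast) is legitimate:
               Neighbor Discovery, RAs, OSPFv3, RIPng, link-local BGP. */
            term on-link-ok {
                from {
                    destination-address {
                        fe80::/10;
                        ff02::/16;
                    }
                }
                then accept;
            }
            /* Anything else with a link-local source would have to be
               forwarded off-link, which uRPF does not catch because
               fe80::/64 is reachable via every IPv6 interface. */
            term link-local-source-off-link {
                from {
                    source-address {
                        fe80::/10;
                    }
                }
                then {
                    count ll-src-offlink-drops;
                    log;
                    discard;
                }
            }
            term accept-rest {
                then accept;
            }
        }
    }
}
interfaces {
    /* Assumed customer-facing interface; repeat per interface. */
    ge-0/0/0 {
        unit 0 {
            family inet6 {
                filter {
                    input DROP-LINK-LOCAL-TRANSIT;
                }
            }
        }
    }
}
```

`show firewall filter DROP-LINK-LOCAL-TRANSIT` then shows the counter climbing on the interface the spoofed packets enter, and `show firewall log` gives the offending source MAC-free but prefix-visible hits, so the leaking host can be found without waiting for the uRPF drops to be logged downstream.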